JRequest::getCmd() filters the 'task' request variable so any bad characters will be removed. Furthermore, the controller execute() method will only execute methods that are flagged as public in the controller. How is that insecure? Chris Davenport 20:04, 17 March 2011 (UTC)
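
A simplified model of the two checks described in the comment above, added here as an illustration; it is not Joomla's code and not from the commenter. `filterCmd`, `BaseController` and `ArticleController` are hypothetical names, and the filter pattern is an assumption about how a command-style filter behaves.

```php
<?php
// Simplified model, not Joomla source. All class and function names are hypothetical.

// Assumed command-style filter: keep letters, digits, '_', '.', '-'; drop leading dots.
function filterCmd($value)
{
    $clean = (string) preg_replace('/[^A-Z0-9_\.-]/i', '', (string) $value);
    return ltrim($clean, '.');
}

abstract class BaseController
{
    protected $taskMap = array();

    public function __construct()
    {
        // Only public methods declared outside this base class (plus display)
        // become dispatchable tasks; keys are lower-cased.
        $r = new ReflectionClass($this);
        foreach ($r->getMethods(ReflectionMethod::IS_PUBLIC) as $m) {
            if ($m->getDeclaringClass()->getName() !== __CLASS__ || $m->getName() === 'display') {
                $this->taskMap[strtolower($m->getName())] = $m->getName();
            }
        }
    }

    public function execute($task)
    {
        $task = strtolower(filterCmd($task));
        if (!isset($this->taskMap[$task])) {
            return "404: task [$task] not found";   // unknown or non-public: refused
        }
        return $this->{$this->taskMap[$task]}();
    }

    public function display() { return 'display'; }
}

class ArticleController extends BaseController
{
    public function save() { return 'saved'; }
    protected function purgeCache() { return 'purged'; }
    private function dropTables() { return 'dropped'; }
}

// Constructed sample task values.
$c = new ArticleController();
foreach (array('save', 'SAVE', '../save;', 'purgeCache', 'dropTables', 'execute', '__construct') as $t) {
    printf("%-12s => %s\n", $t, $c->execute($t));
}
```

In this model every public method of the subclass is reachable by task name, so each one has to carry its own authorization check.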